Suspicious netstat connections. Any cause for concern?

[Gary Busey]

From time to time I get suspicious netstat connections listed with DNS names
containing "dialup" or "DSL" or "ADSL". The reason these DNS names sound
suspicious to me is because I am doing nothing more than browsing regular
web pages. I do not have any other programs running that would have my
computer make connections with any "dialup", "DSL", or "ADSL" DNS names -
any programs such as P2P software or AOL AIM, streaming videos, etc. I am
just using normal web web browsing, yet I still get these persistent
connections from these "dialup" or "DSL" or "ADSL" DNS names. I would think
that thru regular web browsing, my computer shouldn't be making any
connections to any DNS names with "dialup", "DSL", or "ADSL" in their
names.




An example of the suspicious offenders from my netstat results:


TCP leonardo:epmap dialup-67.30.107.18.Dial1.SanJose1.Level3.net:3757
ESTABLISHED

TCP leonardo:epmap adsl-33-163-234.asm.bellsouth.net:1348 ESTABLISHED


DNS names with 'Level3.net' seem to be a frequent offender.


I am running Windows XP Pro. I've searched through the running processes in
the Task Manager, everything looks normal. I see all the usual running
processes, nothing out of the ordinary. I've looked at my startup, RUN
entries in the registry via regedit. Nothing unusual is loading. I have all
the latest patches, and virus scan done and definitions up to date.

Do these connections sound suspicious to anyone? Any cause for concern?

 

[Chuck]

From time to time I get suspicious netstat connections listed with DNS names
containing "dialup" or "DSL" or "ADSL". The reason these DNS names sound
suspicious to me is because I am doing nothing more than browsing regular
web pages. I do not have any other programs running that would have my
computer make connections with any "dialup", "DSL", or "ADSL" DNS names -
any programs such as P2P software or AOL AIM, streaming videos, etc. I am
just using normal web web browsing, yet I still get these persistent
connections from these "dialup" or "DSL" or "ADSL" DNS names. I would think
that thru regular web browsing, my computer shouldn't be making any
connections to any DNS names with "dialup", "DSL", or "ADSL" in their
names.




An example of the suspicious offenders from my netstat results:


TCP leonardo:epmap dialup-67.30.107.18.Dial1.SanJose1.Level3.net:3757
ESTABLISHED

TCP leonardo:epmap adsl-33-163-234.asm.bellsouth.net:1348 ESTABLISHED


DNS names with 'Level3.net' seem to be a frequent offender.


I am running Windows XP Pro. I've searched through the running processes in
the Task Manager, everything looks normal. I see all the usual running
processes, nothing out of the ordinary. I've looked at my startup, RUN
entries in the registry via regedit. Nothing unusual is loading. I have all
the latest patches, and virus scan done and definitions up to date.

Do these connections sound suspicious to anyone? Any cause for concern?

Gary,

It looks like you have a good start in dealing with this possible
problem. You are observant, and curious.

The key thing to look at are the ip address, and the port number. If
you don't see the same ip address or port number, repeatedly, you are
just seeing random crap. Mostly infected computers, looking for other
infected computers. If your computer is protected in other ways,
you're probably safe.

There are other ways to protect yourself.

I use a Linksys BEFSX41 NAT router for my outermost protection. The
nice things about Linksys routers is that you can get WallWatcher, a
firewall log monitoring program, free. WallWatcher
<http://www.wallwatcher.com/> will automatically submit intrusion
reports, based upon alerts from the router log, to myNetWatchman
<http://www.mynetwatchman.com/default.asp>. MNW is an intrusion
reporting service (also free) that collects reports from thousands of
folks like you and me, aggregates the reports, and identifies and
alerts the ISP for the offending addresses. MNW produces a database
that you can search, by ip address or port number, to see if you have
cause for concern.

Netstat is a good way to start looking at connections on your
computer. Port Explorer is a better way - it has a gui interface, and
it generates an dynamic display. It's free, from
<http://www.diamondcs.com.au/portexplorer/index.php?page=home>. If
you see a suspicious process, Process Explorer (also free) from
<http://www.sysinternals.com/> will help you find out more about that.

Harden your browser. Here are some free websites that will check your
browser security. You should use them regularly, as new exploits are
discovered all the time:
http://www.jasons-toolbox.com/BrowserSecurity/
http://bcheck.scanit.be/bcheck/sid-f9f641f5e091212e5f4a80b1c27fd33b/index.php
https://testzone.secunia.com/browser_checker/

In addition to virus detection, use spyware detection regularly. I
use Spybot S&D and HijackThis (both free). Instructions for
installation:
http://forums.spywareinfo.com/index.php?showtopic=5187

Keep informed. In addition to the many forums talking about the above
products, there are online security websites that keep you up to date
about the latest threats, and hoaxes. Here's one of my favorites:
http://isc.sans.org/

Cheers,

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.